
http://www.aboutauditing.blogspot.com

Audit

An audit is an evaluation (estimating the worth) of a person, organization, system, process, enterprise, project or product. The term most commonly refers to audits in accounting, but similar concepts also exist in project management, quality management, and energy conservation (safekeeping).

IT/IS Audit

An Information Technology audit, or Information Systems audit, is an examination of the management controls within an IT infrastructure. Information Systems audit is a part of the overall audit process, which is one of the facilitators for good corporate governance.

Software Audit

Our software audit provides users with the ability to gather data and manage all active processes on their computer. Valuable and personal data is not shared with external sources as a result of using this audit software.

Categories of Software Audits

Software audits can be categorized as:

- A software licensing audit, where a user of software is audited for licence compliance
- A software quality assurance, where a piece of software is audited for quality
- A software audit review, where a group of people external to a software development organisation examines a software product
- A physical configuration audit
- A functional configuration audit

Need for IS Control & Audit

Computers are used extensively to process data and to provide information for decision making. Initially, they were available only to larger organizations that could afford their high purchase and operation costs. The advantage of minicomputers and the rapid decrease in the cost of computer technology then enabled medium-sized organizations to take advantage of computers for their data processing. Nowadays, the widespread availability of powerful microcomputers and their associated packaged software has resulted in the extensive use of computers in the workplace and at home. Given the intense marketplace for computer hardware and software technology, the rapid diffusion of computers in our economies will continue. Because computers play such a large part in assisting to process data and to make decisions, it is important that their use be controlled. The figure shows seven major reasons for establishing a function to examine controls over computer-based data processing. In the following subsections, we examine these reasons.

1) Organizational costs of data loss
Such losses can occur when existing controls over computers are lax. For example, management might not provide adequate backup for computer files. Thus, the loss of a file through computer program error, sabotage or natural disaster means the file cannot be recovered, and the organization's continuing operations are thereby impaired.

2) Costs of incorrect decision making
The importance of accurate data in a computer system depends on the types of decisions made by persons having some interest in an organization. For example, if managers are making strategic planning decisions, they will probably tolerate some errors in the data, given the long-run nature of strategic planning decisions and the inherent uncertainty surrounding these types of decisions. If managers are making control and operational control decisions, however, they will probably require highly accurate data. These types of decisions involve detection, investigation and correction of out-of-control processes. Thus, inaccurate data can cause costly, unnecessary investigations to be undertaken or out-of-control processes to remain undetected.

3) Costs of computer abuse
Computer abuse is any incident associated with computer technology in which a victim suffered or could have suffered loss and a perpetrator by intention made or could have made gain. Some major types of computer abuse that an organization might encounter include the following:

- Hacking
- Viruses
- Illegal physical access
- Abuse of privileges
- Destruction of assets
- Theft of assets
- Modification of assets
- Physical harm to personnel

4) Value of hardware, software, personnel
In addition to data, computer hardware, software and personnel are critical organizational resources. Some organizations have million-dollar investments in hardware. Even with adequate insurance, the intentional or unintentional loss of hardware can cause considerable disruption. Similarly, software often constitutes a considerable investment of an organization's resources. If the software is corrupted or destroyed, the organization might be unable to continue operations if it cannot recover the software promptly. If the software is stolen, confidential information could be disclosed to competitors; or, if the software is a proprietary package, lost revenues or lawsuits could arise. Finally, personnel are always a valuable resource, particularly in light of an ongoing scarcity of well-trained computer professionals in many countries.

5) High costs of computer error
Computers now automatically perform many critical functions within our society. For example, they monitor the condition of patients during surgery, direct the flight of a missile, control a nuclear reactor, and steer a ship on its course. Consequently, the costs of a computer error in terms of loss of life, deprivation of liberty, or damage to the environment can be high. For example, a data error in a computer system used to control flight paths resulted in the deaths of 257 people when an airplane crashed into a mountain in Antarctica; a person was jailed incorrectly for five months because of erroneous data contained in a computer system.

6) Maintenance of privacy
Define yourself

7) Controlled evolution of computers
From time to time, major conflicts arise over how computer technology should be used in our societies. It might be argued that technology is neutral: it is neither good nor bad. The use of technology, however, can produce major social problems. In this light, important, ongoing decisions must be made about how computers should be used in our societies. Governments, professional bodies, pressure groups, organizations and individual persons all must be concerned with evaluating and monitoring how we deploy computer technology.

What triggers an audit..?
*Escaped

Objectives of IT/IS Audit

IS auditing is the process of collecting evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently. In the following subsections, we consider each of these objectives in detail.

Asset Safeguarding Objectives
The IS assets of an organization include hardware, software, facilities, people (knowledge), data files, system documentation and supplies. Like all assets, they must be protected by a system of internal control.

Data Integrity Objectives
Data integrity is a fundamental concept in IS auditing. It is a state implying data has certain attributes: completeness, soundness, purity and veracity. If data integrity is not maintained, an organization no longer has a true representation of itself or of events. Moreover, if the integrity of an organization's data is low, it could suffer from loss of competitive advantage. Three major factors affect the value of a data item to an organization:

1. The value of the information content of the data item for individual decision makers
2. The extent to which the data item is shared among decision makers
3. The value of the data item to competitors

System Effectiveness Objectives & System Efficiency Objectives
Reference: page 36, http://books.google.com.pk/books?id=rLvehDVJG_EC&pg=PA29&lpg=PA29&dq=factor+influencing+organization+toward+control+and+audit+of+computer&source=bl&ots=QewCsikkU0&sig=2WXlVw415lnAALHxnVgmQjHvcY&hl=en&ei=_Lq7TsJFMbMswbix6nSBg&sa=X&oi=book_result&ct=result&resnum=2&ved=0CCMQ6AEwAQ#v=onepage&q&f=true

Purpose of IT Audit
An IT audit should not be confused with a financial statement audit. While there may be some abstract similarities, a financial audit's primary purpose is to evaluate whether an organization is adhering to standard accounting practices. The primary functions of an IT audit are to evaluate the system's internal control design and effectiveness.
Types of Information System Audits

Innovative Comparison Audit: This audit is an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.

Technological Position Audit: This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing" or "emerging".

Others describe the spectrum of IT audits with five categories of audits:

1. Systems and Applications: An audit to verify that systems and applications are appropriate, efficient, and adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
2. Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
3. Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
4. Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
5. Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers.

Elements IT/IS Audit
*Escaped

What Tools do IT Auditors require?
*Escaped

Audit Process or Audit-Main Steps
Since the goal of the audit is to "understand" the operation of the business, the main steps are:

Audit Process

Planning: The objectives, scope and methodology of the audit are determined.
Examining: During the examining phase, the audit testing produces information that is sufficient and useful for audit findings and recommendations.
Communicating: At the conclusion of an audit, a final report is issued. The activities performed by Audit may result in a varied approach to report writing; however, the primary focus is to ensure the client has a clear understanding of the audit outcomes (e.g. findings, recommendations) and is in a position to move forward in relation to those issues.

Internal vs External Audit

The audit function can be performed internally or externally.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

External audit is an audit conducted by an individual of a firm that is independent of the company being audited. Responsible to stockholders and the public via the Board of Directors.

Internal Audit

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Scope of Internal Audit or Objectives Audit and Control

The scope of internal auditing within an organization is broad and may involve topics such as:

- Efficacy of operations
- Reliability of financial reporting
- Determining and investigating fraud
- Safeguarding assets
- Compliance with laws and regulations

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance (rule) processes. However, internal auditors are not responsible for the execution of company activities.

Motivation for Control & Audit
*Escaped

Internal Auditors Scope of Work - SCARE

- Safeguarding assets
- Compliance with policies and plans
- Accomplishment of established objectives
- Reliability & integrity of information
- Economical & efficient use of resources

Internal Controls

In auditing, internal control is defined as a process effected by an organization's structure, work and authority flows, people and Management Information Systems, designed to help the organization accomplish specific goals or objectives. Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

1. Effectiveness and efficiency of operations.
2. Reliability of financial reporting.
3. Compliance with applicable laws and regulations.

Controls - System of activities:

1. Detective Controls: are designed to detect errors or irregularities that may have occurred.
2. Corrective Controls: are designed to correct errors or irregularities that have been detected.
3. Preventive Controls: on the other hand, are designed to keep errors or irregularities from occurring in the first place.

IT Controls

Information Technology controls (or IT controls) are specific activities performed by persons or systems designed to ensure that business objectives are met. IT controls are often described in two categories:

1. IT General Controls (ITGC)
2. IT Application Controls

ITGC include controls over the Information Technology (IT) environment, computer operations, access to programs and data, program development and program changes. ITGC usually include the following types of controls:

- Control Environment
- Change Management procedures
- Control Activities
- Information and Communication
- Monitoring

IT Application Controls refer to transaction processing controls, sometimes called "input-processing-output" controls. IT Application Controls usually include the following types of controls:

- Completeness checks
- Validity checks
- Identification
- Authentication
- Authorization
- Input controls

Limitations of Internal Controls

- Judgment
- Breakdowns
- Management Override
- Collusion

------------------------------------------------------------

What do IT auditors do?

An IT audit should not be confused with a financial statement audit. While there may be some abstract similarities, a financial audit's primary purpose is to evaluate whether an organization is adhering to standard accounting practices. The primary functions of an IT audit are to evaluate the system's internal control design and effectiveness.

IT Audit Process or Phase

To minimize or eliminate the possibility of assessing audit risk, the auditor should perform the following steps:

1. Obtain an understanding of the organization and its environment: To understand the weaknesses of the organization and the scope of the audit.
2. Identify the business risks: The auditor must evaluate an organization's business risks. An organization's business risks can arise or change due to new personnel or new or restructured information systems.
3. Evaluate the organization's response to those risks: Once the auditor has evaluated the organization's response to the assessed risks, the auditor should then obtain evidence of management's actions toward those risks.
4. Assess the risk of material misstatement: The auditor then assesses the risk of material misstatements and determines specific audit procedures that are necessary based on that risk assessment.
5. Evaluate results and issue the audit report: At this level, the auditor should determine if the assessments of risks were appropriate and whether sufficient evidence was obtained.

Roles of IT Audit Team

IT Audit Skills

- College education: Graduate in IS, Computer Science, Accounting or related discipline
- Certifications: CPA, CFE, CIA, CISA, CISSP, and special technical certifications
- Technical IT audit skills: Specialized technologies
- General personal and business skills

Job Tasks and Responsibilities

- Designs technology-based audit approaches; analyzes and evaluates enterprise IT processes
- Works independently or in a team to review enterprise IT controls
- Examines the effectiveness of the information security policies and procedures
- Develops and presents training workshops for audit staff
- Conducts and oversees investigations of inappropriate computer use
- Performs special projects and other duties as assigned

IT Governance

The process for controlling an organization's IT resources, including information and communication systems, and technology.

Financial vs IT Audits

Financial audit: Official examination of accounts to see that they are in order.
IT audit: Official examination of IT-related processes to see that they are in order.
IT auditors may work on every step of the financial audit engagement.
